US ports building up cyberattack defenses

Cyber security is a top concern among transportation executives after years of neglect.

US port authorities, their awareness of the risk of cyber-attacks dramatically heightened by the June attack on the Maersk Group, are grappling with how to secure their terminal information technology systems while at the same time meeting the need to share information to improve supply chain performance.

Several port authorities told JOC’s Port Performance North America Conference on Wednesday that they take the threat very seriously, and — even before the attack — had taken steps to assess the security of their computer systems and increase protection.

John F. Reinhart, CEO and executive director of the Port of Virginia, said the port believes the question is no longer “if” an attack happens, but “when.”

“I think we are all in the same place,” Reinhart told the conference, speaking on a panel with five other port heads that focused on port issues. “Let’s assume we are going to get hit. How quickly can we shut it down and then get it back into operations? And try to shorten the time to recover. So it’s one of the things that keeps us all awake at night.”

Yet that task is made more complicated by the growing demand for ports and other parts of the supply chain to “connect” with each other, said Dustin Stoker, chief operating officer of the Northwest Seaports Alliance. Demands by beneficial cargo owners, logistics providers, and other stakeholders in the supply chain for more “visibility,” so that they can better track cargo and prepare for its arrival, increasingly require that players in the chain share information. That requires that their computer systems talk to each other, which potentially could provide an entryway for an attacker.

So even as the ports and other stakeholders “are doing the right thing and trying to connect, trying to get more stakeholders to exchange data,” Stoker said, they are also increasing the risk of an attack. That risk was smaller in the past, because if a single terminal suffered an attack, it was only one terminal, “not the entire network,” as could happen now, he said.

“So it [security] becomes ever more important as we are doing the right thing in trying to integrate the supply chain,” he said. “The cyber security portion is going to become ever more a risk factor that we have got to make sure we are accounting for.”

The attack on Maersk, by a destructive virus known as NotPetya, was part of an onslaught that hit an estimated 2,000 systems in Europe and North America — including Russian oil giant Rosneft and chemical giant Merck, according to computer security firm Kaspersky Labs. Aside from the carrier business, Maersk units affected included its terminal operator unit APM Terminals and forwarding unit Damco.

The attack shut down APM Terminals’ fully automated Maasvlakte II terminal in Rotterdam and triggered long truck lines for days at APM Terminals’ facility in the Port of New York and New Jersey, where the computers, phones, and gate system shut down, forcing terminal workers to go back to using paper to document cargo movements. Through it all, however, Maersk says it did not stop cargo moving around the world, and did so by using smartphone applications such as WhatsApp and Twitter, along with Post-its and spreadsheets.

Maersk estimates that the attack cost it $250 million to $300 million. Still, the carrier said in November that — assisted by increased freight rates — it expects to make a profit of more than $600 million in 2017, rather than the loss of $384 million in 2016.

Two cyber specialists speaking on a different panel at the Port Performance North America Conference said that although the attack dramatically increased the shipping industry’s awareness of the need to prepare for such a digital invasion, many companies are still vulnerable to major disruption from such an attack.

Industry executives now recognize the need for security measures to protect their computer systems against an attack — a big advance from the general denial of a few years ago that a threat existed, Lars Jensen, CEO of consultant CyberKeel, told the conference.

“Four years ago, the reaction from the entire maritime community to cyber security was the same: ‘There is no problem,’” said Jensen. That has improved incrementally in recent years, with businesses acknowledging the problem, but doing little tangible to prevent an attack, he said.

“After the Maersk attack, one tangible action that I have seen is there is a sudden interest, finally, to at least take the first step,” and begin to assess their company’s vulnerability to an attack, Jensen said. That is often done by a “white hat” hacker, who is hired to try and breach a company’s computer system to determine the system’s vulnerabilities and how to eradicate them.

Yet many companies have taken few serious steps to protect themselves, said Susan Kohn Ross, partner and cyber security and privacy practice chair for law firm Mitchell Silberberg & Knupp.

“Everyone understands it’s going to happen,” she said, but added, “You really haven’t seen, I don’t think, a lot of companies want to do, or be able to do, anything.” Kohn Ross said she sees a lot of companies, especially smaller companies, who have the attitude of, “Jeez, I can’t do anything about it anyway. So I am just going to hope for the best.”

The port executives, however, said they regard cyber security as a top priority.

Stoker said the ports of Seattle and Tacoma carried out a risk assessment three years ago, and “we have been actively implementing the recommendations that have come out.” Edward McCarthy, chief operating officer of Georgia Ports Authority, said the port had hired a “white [hat] hacker,” to test the port’s computer security system from outside.

Ryan Mariacher, director of container operations at Port Houston, said the port also has hired an external consultant to test its systems, and — assuming that it will get attacked at some point — routinely asks the questions, “So what are your plans when something does happen? How resilient are you? What are your disaster recovery measures?”

Although companies cannot completely eradicate the possibility of an attack, they can limit the risk, and the impact, said Jensen and Kohn Ross. That includes looking at all the ways that external computers connect to a corporate computer system and offer a hacker a potential way in. That list now includes such apparently innocuous items as smartphones and — thanks to the so-called “internet of things” — webcams, refrigerators, and televisions, Jensen said.

He said that Maersk, for example, was not the target of the attack, but was collateral damage because it used software that the Ukrainian government required all vendors in the country to use when reporting their taxes. As a result, everyone who used the software was attacked, he said.

“There is no way to defend yourself against that,” he said. “The objective of cyber security is not to make us perfectly safe … But it’s about raising the level to the point where the risk of something catastrophic happening is reduced to at least a minimum that we can live with.”

That vulnerability makes it imperative that companies in other parts of the supply chain take steps to protect themselves as much as possible, Kohn Ross said. Fortune 500-size companies, for example, require their vendors to have a “robust cyber security system,” and to undergo “white hat penetration” to minimize their vulnerability, she said. That is possibly out of reach for smaller companies, but they need to consider such steps, she said.

Companies also need to prepare for the disruption of an attack by creating a backup plan that will enable them to get up and running, Jensen said.

“You have to start with: ‘What if we have no computers 10 minutes from now?’” Jensen said. “And I really mean no computers, no phones, no servers, nothing. How do we establish business from that point?

“Right now, almost no companies truly have that plan,” he added. “Because in the back of their minds is, ‘Well, we will probably have something up and running.’ No you won’t. You will literally have nothing. You will literally have to go down to the local store to buy 100 laptops.”